15 years of web security: the rebellious teenage years

Uploaded by jeremiah-grossman, posted 12-Jan-2017. Category: Technology

TRANSCRIPT

Page 1: 15 Years of Web Security: The Rebellious Teenage Years

15 Years of Web Security: The Rebellious Teenage Years

Jeremiah Grossman
Founder: WhiteHat Security, Inc.
Twitter: @jeremiahg

Page 2

Jeremiah Grossman
Hacker
2015 OWASP WebAppSec Person of the Year
Brazilian Jiu-Jitsu Black Belt

Page 3

WhiteHat Security

We help secure the Web by finding application vulnerabilities, in the source code all the way through to production, and help companies get them fixed, before the bad guys exploit them.

Founded: 2001
Headquarters: Santa Clara
Employees: 300+

Page 4

WhiteHat Security

7 of 18 Top Commercial Banks
10 of 50 Top Largest Banks
6 of 16 Top Software Companies
4 of 8 Top Consumer Financial Services
1000+ Active Customers
#63 Fortune 500

Page 5

My Areas of Focus

Threat Actors: Innovating, scaling, or both?
Intersection of security guarantees and cyber-insurance
Easing the burden of vulnerability remediation
Measuring the impact of SDLC security controls
Addressing the application security skill shortage

Page 6

Threat Actors

Hacktivists
Organized Crime
Nation State
Terrorists?

Page 7

Page 8

WebApp Attacks Adversaries Use

“This year, organized crime became the most frequently seen threat actor for Web App Attacks”

Verizon 2015 Data Breach Investigations Report

Use of Stolen Credit Cards   50.7%
Use of Backdoor or C2        40.5%
SQLI                         19.0%
RFI                           8.3%
Abuse of Functionality        8.3%
Brute Force                   6.8%
XSS                           6.3%
Path Traversal                3.4%
Forced Browsing               2.0%
OS Commanding                 1.5%

Page 9

Security Industry Spends Billions

“2015 Global spending on information security is set to grow by close to 5% this year to top $75BN, according to the latest figures from Gartner”

Page 10

Vulnerability Likelihood (1 or more)

Insufficient Transport Layer Protection  70%
Information Leakage                      56%
Cross Site Scripting                     47%
Brute Force                              29%
Content Spoofing                         26%
Cross Site Request Forgery               24%
URL Redirector Abuse                     16%
Predictable Resource Location            15%
Session Fixation                         11%
Insufficient Authorization               11%
Directory Indexing                        8%
Abuse of Functionality                    6%
SQL Injection                             6%
Insufficient Password Recovery            6%
Fingerprinting                            5%

Page 11

Average Time-to-Fix (Days)

Transportation              73
Arts & Entertainment        97
Accommodation               99
Professional & Scientific  108
Public Administration      111
Other Services             130
Information                132
Educational Services       136
Health Care & Social       158
Finance & Insurance        160
Manufacturing              191
Utilities                  192
Retail Trade               227

Page 12

Windows of Exposure

A large percentage of websites are always vulnerable:
60% of all Retail are always vulnerable
52% of all Healthcare and Social Assistance sites are always vulnerable
38% of all Information Technology websites are always vulnerable
39% of all Finance and Insurance websites are always vulnerable

Industry                         Always  Frequently  Regularly  Occasionally  Rarely
Retail Trade                       60%        9%        10%         11%         11%
Information                        38%       11%        14%         16%         22%
Health Care & Social Assistance    52%       11%        12%         11%         14%
Finance & Insurance                39%       14%        11%         18%         17%

Always Vulnerable; Frequently Vulnerable (271-364 days a year); Regularly Vulnerable (151-270 days a year); Occasionally Vulnerable (31-150 days a year); Rarely Vulnerable (30 days or less a year)
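Computing the window-of-exposure metric the slide uses, as an added example (not code from the slides or from WhiteHat Security): it takes a constructed list of findings with first-detected and verified-fixed dates, merges overlapping open intervals per site, counts the distinct days in the year on which at least one vulnerability was open, and assigns the slide's five buckets. The site names, dates and resulting bucket shares are constructed assumptions; the bucket boundaries are the ones on the slide.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample findings (not from the slides): one row per vulnerability,
# (site, first_seen, fixed). fixed=None means the vulnerability is still open.
SAMPLE_FINDINGS = [
    ("retail-store.example", date(2014, 1, 1), None),                  # open all year
    ("news-site.example", date(2014, 2, 10), date(2014, 3, 1)),
    ("news-site.example", date(2014, 2, 20), date(2014, 4, 15)),       # overlaps the previous one
    ("news-site.example", date(2014, 11, 1), date(2014, 12, 15)),
    ("bank-portal.example", date(2013, 12, 20), date(2014, 1, 5)),     # detected before the year began
    ("clinic.example", date(2014, 6, 1), date(2014, 6, 10)),
]

YEAR_START = date(2014, 1, 1)
YEAR_END = date(2014, 12, 31)                      # inclusive
DAYS_IN_YEAR = (YEAR_END - YEAR_START).days + 1    # 365

# Bucket names in the order the slide's legend lists them.
BUCKETS = ("Always", "Frequently", "Regularly", "Occasionally", "Rarely")


def days_vulnerable(findings, year_start=YEAR_START, year_end=YEAR_END):
    """Return {site: number of distinct days in the year with at least one open vuln}.

    A vulnerability counts as open from first_seen up to the day before it was fixed;
    overlapping findings on the same site are merged so a day is never counted twice.
    Sites with no finding inside the year do not appear in the result.
    """
    by_site = defaultdict(list)
    for site, first_seen, fixed in findings:
        start = max(first_seen, year_start)
        last_open_day = fixed - timedelta(days=1) if fixed else year_end
        end = min(last_open_day, year_end)
        if start <= end:                       # skip findings fixed before the year started
            by_site[site].append((start, end))

    result = {}
    for site, intervals in by_site.items():
        intervals.sort()
        total = 0
        cur_start, cur_end = intervals[0]
        for s, e in intervals[1:]:
            if s <= cur_end + timedelta(days=1):   # overlapping or adjacent: extend
                cur_end = max(cur_end, e)
            else:                                  # gap: close the current run
                total += (cur_end - cur_start).days + 1
                cur_start, cur_end = s, e
        total += (cur_end - cur_start).days + 1
        result[site] = total
    return result


def exposure_window(days, days_in_year=DAYS_IN_YEAR):
    """Map days vulnerable in the year to the slide's five buckets."""
    if days >= days_in_year:
        return "Always"
    if days >= 271:
        return "Frequently"
    if days >= 151:
        return "Regularly"
    if days >= 31:
        return "Occasionally"
    return "Rarely"


def exposure_report(findings):
    """Per site: (days vulnerable, bucket)."""
    return {site: (d, exposure_window(d)) for site, d in days_vulnerable(findings).items()}


def bucket_shares(findings):
    """Percentage of sites in each bucket, as the slide reports per industry."""
    report = exposure_report(findings)
    counts = Counter(bucket for _, bucket in report.values())
    n = len(report)
    return {b: round(100 * counts[b] / n) for b in BUCKETS}


if __name__ == "__main__":
    for site, (days, bucket) in sorted(exposure_report(SAMPLE_FINDINGS).items()):
        print(f"{site:25} {days:4d} days  {bucket}")
    print(bucket_shares(SAMPLE_FINDINGS))
```

The merge step matters for the metric: two overlapping findings on one site keep that site "vulnerable" for the union of their open periods, not the sum, which is what a days-per-year classification needs.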

Page 13

Ranges of Expected Loss by Number of Records

RECORDS      PREDICTION (LOWER)  AVERAGE (LOWER)  EXPECTED     AVERAGE (UPPER)  PREDICTION (UPPER)
100          $1,170              $18,120          $25,450      $35,730          $555,660
1,000        $3,110              $52,260          $67,480      $87,140          $1,461,730
10,000       $8,280              $143,360         $178,960     $223,400         $3,866,400
100,000      $21,900             $366,500         $474,600     $614,600         $10,283,200
1,000,000    $57,600             $892,400         $1,258,670   $1,775,350       $27,500,090
10,000,000   $150,700            $2,125,900       $3,338,020   $5,241,300       $73,943,950
100,000,000  $392,000            $5,016,200       $8,852,540   $15,622,700      $199,895,100

Verizon 2015 Data Breach Investigations Report

Page 14

Result: Every Year is the Year of the Hack

“In 2014, 71% of security professionals said their networks were breached. 22% of them victimized 6 or more times. This increased from 62% and 16% respectively from 2013. 52% said their organizations will likely be successfully hacked in the next 12 months. This is up from 39% in 2013.”

Survey of Security professionals by CyberEdge

Page 15

Downside Protection

As of 2014, American businesses were expected to pay up to $2 billion on cyber-insurance premiums, a 67% spike from $1.2 billion spent in 2013.

Current expectations by one industry watcher suggest 100% growth in insurance premium activity, possibly 130% growth.

It’s usually the firms that are best prepared for cyber attacks that wind up buying insurance.

Page 16

Downside Protection

“Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million.”

“Home Depot reported $43 million in expenses related to its September 2014 hack, which affected 56 million credit and debit card holders. Insurance covered only $15 million.”

Page 17

Downside Protection

“Anthem has $150 million to $200 million in cyber coverage, including excess layers, sources say.”

“Insurers providing excess layers of cyber coverage include: Lloyd’s of London syndicates; operating units of Liberty Mutual Holding Co.; Zurich Insurance Group; and CNA Financial Corp., sources say.”

Page 18

2014 – 2015 New Security Investment vs. Cyber-Insurance

Information Security Spending (Global): ~$3.8 billion in new spending (+4.7%)   $3,800,000,000
Cyber-Security Insurance: ~$3.2 billion in spending (+67%)                      $3,200,000,000
Application Security Market (+15%)                                              $1,000,000,000

Page 19

Ever notice how everything in the information security industry is sold “as is”?

No Guarantees
No Warranties
No Return Policies

Page 20

InfoSec is a $75 Billion Garage Sale

Page 21

Page 22

“The only two products not covered by product liability are religion and software, and software shall not escape much longer”

Dan Geer, CISO, In-Q-Tel

Page 23

Software Security Maturity Metrics Analysis

The analysis is based on 118 responses to a survey sent to security professionals to measure maturity models in application security programs at various organizations.

The responses obtained in the survey are correlated with the data available in Sentinel to get deeper insights. Statistics pulled from Sentinel are for the 2014 timeframe.

Page 24

If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance?

56% of all respondents did not have any part of the organization held accountable in case of data or system breach.

Board of Directors      9%
Executive Management   29%
Software Development   28%
Security Department    30%

Page 25

If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance?

Average Time to Fix (Days)
Board of Directors     129
Executive Management   119
Software Development   108
Security Department    114

Remediation Rate
Board of Directors     44%
Executive Management   43%
Software Development   37%
Security Department    43%

Average Number of Vulns Open
Board of Directors     10
Executive Management   10
Software Development   17
Security Department    25

Page 26

Please rank your organization’s drivers for resolving website vulnerabilities. “1” being your lowest priority, “5” being your highest.

15% of the respondents cite Compliance as the primary reason for resolving website vulnerabilities.

6% of the respondents cite Corporate Policy as the primary reason for resolving website vulnerabilities.

35% of the respondents cite Risk Reduction as the primary reason for resolving website vulnerabilities.

19% of the respondents cite Customer or Partner Demand as the primary reason for resolving website vulnerabilities.

25% of the respondents cite other reasons for resolving website vulnerabilities.

% of Respondents
Compliance                  15%
Corporate Policy             6%
Risk Reduction              35%
Customer or Partner Demand  19%
Other                       25%

Page 27

Please rank your organization’s drivers for resolving website vulnerabilities. “1” being your lowest priority, “5” being your highest.

Average Time to Fix (Days)
Compliance                  132
Corporate Policy             86
Risk Reduction               78
Customer or Partner Demand  163
Other                       150

Average Remediation Rate
Compliance                  55%
Corporate Policy            21%
Risk Reduction              40%
Customer or Partner Demand  50%
Other                       33%

Average Number of Vulnerabilities
Compliance                  14
Corporate Policy            21
Risk Reduction              28
Customer or Partner Demand  28
Other                       10

Page 28

SECURITY CONTROLS                                                          # OF OPEN VULNS  TIME-TO-FIX  REMEDIATION RATE
Automated static analysis during the code review process                          +               +              -
QA performs basic adversarial tests                                               +               -              +
Defects identified through operations monitoring fed back to development          -               +              -
Share results from security reviews with the QA                                   +               -              +

Page 29

There are No Best-Practices

Page 30

Thank You

Jeremiah Grossman
Founder: WhiteHat Security, Inc.
Twitter: @jeremiahg